<?xml version="1.0" encoding="utf-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> encoding="UTF-8"?>

<!-- updated by Chris 07/20/20 -->

<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.3.8 -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC8612 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8612.xml">
<!ENTITY RFC8782 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8782.xml">
<!ENTITY RFC8783 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8783.xml">
<!ENTITY I-D.ietf-dots-multihoming SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-dots-multihoming.xml">
]>

<?rfc rfcedstyle="yes"?>
<?rfc toc="yes"?>
<?rfc tocindent="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc docmapping="yes"?> "rfc2629-xhtml.ent">

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-dots-use-cases-25" category="info"> number="8903" submissionType="IETF" category="info" consensus="true" obsoletes="" updates="" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3">

  <!-- xml2rfc v2v3 conversion 2.47.0 -->
  <front>
    <title abbrev="DOTS Use Cases">Use cases Cases for DDoS Open Threat Signaling</title>
    <seriesInfo name="RFC" value="8903"/>
    <author initials="R." surname="Dobbins" fullname="Roland Dobbins">
      <organization>Arbor Networks</organization>
      <address>
        <postal>
          <street></street>
          <city></city>
          <code></code>
          <street/>
          <city/>
          <code/>
          <country>Singapore</country>
        </postal>
        <email>rdobbins@arbor.net</email>
      </address>
    </author>
    <author initials="D." surname="Migault" fullname="Daniel Migault">
      <organization>Ericsson</organization>
      <address>
        <postal>
          <street>8275 Trans Canada Route</street>
          <city>Saint Laurent, QC</city> Laurent,</city>
	  <region>Quebec</region>
          <code>4S 0B6</code>
          <country>Canada</country>
        </postal>
        <email>daniel.migault@ericsson.com</email>
      </address>
    </author>
    <author initials="R." surname="Moskowitz" fullname="Robert Moskowitz">
      <organization>HTT Consulting</organization>
      <address>
        <postal>
          <street></street>
          <street/>
          <city>Oak Park, MI</city> Park</city>
	  <region>MI</region>
          <code>48237</code>
          <country>USA</country>
          <country>United States of America</country>
        </postal>
        <email>rgm@labs.htt-consult.com</email>
      </address>
    </author>
    <author initials="N." surname="Teague" fullname="Nik Teague">
      <organization>Iron Mountain Data Centers</organization>
      <address>
        <postal>
          <street></street>
          <city></city>
          <code></code>
          <country>UK</country>
          <street/>
          <city/>
          <code/>
          <country>United Kingdom</country>
        </postal>
        <email>nteague@ironmountain.co.uk</email>
      </address>
    </author>
    <author initials="L." surname="Xia" fullname="Liang Xia">
      <organization>Huawei</organization>
      <address>
        <postal>
          <street>No. 101, Software Avenue, Yuhuatai District</street>
          <city>Nanjing</city>
          <country>China</country>
        </postal>
        <email>Frank.xialiang@huawei.com</email>
      </address>
    </author>
    <author initials="K." surname="Nishizuka" fullname="Kaname Nishizuka">
      <organization>NTT Communications</organization>
      <address>
        <postal>
          <street>GranPark 16F 3-4-1
          <street>3-4-1 Shibaura, Minato-ku</street>
          <city>Tokyo</city>
	  <extaddr>GranPark 16F</extaddr>
          <region>Tokyo</region>
          <code>108-8118</code>
          <country>Japan</country>
        </postal>
        <email>kaname@nttv6.jp</email>
      </address>
    </author>
    <date year="2020" month="July" day="05"/> month="September"/>
    <area>Security</area>
    <workgroup>DOTS</workgroup>
    <keyword>Internet-Draft</keyword>

<keyword>example</keyword>

    <abstract>
      <t>The DDoS Open Threat Signaling (DOTS) effort is intended to provide
protocols to facilitate interoperability across disparate DDoS
mitigation
Mitigation solutions. This document presents sample use cases which that describe
the interactions expected between the DOTS components as well as DOTS
messaging exchanges. These use cases are meant to identify the
interacting DOTS components, how they collaborate, and what are the
typical information to be exchanged.</t> exchanged is.</t>
    </abstract>
  </front>
  <middle>
    <section anchor="introduction" title="Introduction"> numbered="true" toc="default">
      <name>Introduction</name>
      <t>At the time of writing, distributed denial-of-service (DDoS) attack
mitigation solutions are largely based upon siloed, proprietary
communications schemes with vendor lock-in as a side-effect. side effect. This can
result in the configuration, provisioning, operation, and activation of
these solutions being a highly manual and often time-consuming process.
Additionally, coordinating multiple DDoS mitigation Mitigation solutions
simultaneously is fraught with both technical and process-related
hurdles. This greatly increases operational complexity which, complexity, which in turn, turn
can degrade the efficacy of mitigations that are generally highly dependent on  on
      a timely reaction by the system.</t>
      <t>The DDoS Open Threat Signaling (DOTS) effort is intended to specify
protocols that facilitate interoperability between diverse DDoS
mitigation
Mitigation solutions and ensure greater integration in term terms of
attack detection, mitigation requests, and attack characterization patterns.</t>
      <t>As DDoS solutions are broadly heterogeneous among vendors, the
primary goal of DOTS is to provide high-level interaction amongst
differing DDoS solutions, such as detecting DDoS attacks,
initiating/terminating DDoS mitigation Mitigation assistance, or requesting the
status of a DDoS mitigation.</t> Mitigation.</t>
      <t>This document provides sample use cases that provided input for the requirements <xref target="RFC8612"/> target="RFC8612" format="default"/> and design of
the DOTS protocols <xref target="RFC8782"/><xref target="RFC8783"/>. target="RFC8782" format="default"/><xref target="RFC8783" format="default"/>. The use cases are not exhaustive exhaustive, and future use cases are
expected to emerge as DOTS is adopted and evolves.</t>
    </section>
    <section anchor="terminology-and-acronyms" title="Terminology numbered="true" toc="default">
      <name>Terminology and Acronyms"> Acronyms</name>
      <t>This document makes use of the same terminology and definitions as
<xref target="RFC8612"/>. target="RFC8612" format="default"/>. In addition addition, it uses the terms defined
below:</t>

<t><list style="symbols">
  <t>DDoS
<dl newline="true" spacing="normal">
<dt>DDoS Mitigation System (DMS): A (DMS):</dt><dd>A system that performs DDoS mitigation.
Mitigation. The DDoS Mitigation System may be composed of a cluster of
hardware and/or software resources, resources but could also involve an orchestrator that
may take decisions make decisions, such as outsourcing some or all of the mitigation to
another DDoS Mitigation System.</t>
  <t>DDoS Mitigation: The System.</dd>
<dt>DDoS Mitigation:</dt><dd>The action performed by the DDoS Mitigation System.</t>
  <t>DDoS System.</dd>
<dt>DDoS Mitigation Service: designates Service:</dt><dd>Designates a service provided to a
customer to mitigate DDoS attacks. Each service subscription usually involve
Service Level Agreement (SLA) that has to be met. It is the responsibility of
the DDoS Service provider to instantiate the DDoS Mitigation System to meet
these SLAs.</t>
  <t>DDoS SLAs.</dd>
<dt>DDoS Mitigation Service Provider: designates Provider:</dt><dd>Designates the administrative
entity providing the DDoS Mitigation Service.</t>
  <t>Internet Service.</dd>
<dt>Internet Transit Provider (ITP): designates (ITP):</dt><dd>Designates the entity that
delivers the traffic to a customer network. It can be an Internet Service
Provider
(ISP), (ISP) or an upstream entity delivering the traffic to the ISP.</t>
</list></t> ISP.
</dd>
</dl>
    </section>
    <section anchor="use-cases" title="Use Cases"> numbered="true" toc="default">
      <name>Use Cases</name>
      <section anchor="use-case-1" title="Upstream numbered="true" toc="default">
        <name>Upstream DDoS Mitigation by an Upstream Internet Transit Provider"> Provider</name>
        <t>This use case describes how an enterprise or a residential customer
network may take advantage of a pre-existing relation with its ITP in order to mitigate a DDoS attack targeting its
network.</t>
        <t>For clarity of discussion, the targeted network is indicated as an enterprise
network, but the same scenario applies to any downstream network, including
residential and cloud hosting networks.</t>
        <t>As the ITP provides connectivity to the enterprise
network, it is already on the path of the inbound and outbound traffic of
the enterprise network and is well aware of the networking parameters
associated to with the enterprise network WAN connectivity. This eases both the
configuration and the instantiation of a DDoS Mitigation Service.</t>
        <t>This
section considers two kinds of DDoS Mitigation Service between an
enterprise network and an ITP:</t>

<t><list style="symbols">
  <t>The
        <ul spacing="normal">
          <li>The upstream ITP may instantiate a DDoS Mitigation System (DMS) DMS upon
receiving a request from the enterprise network. This typically
corresponds to the a case when the enterprise network is under attack.</t>
  <t>On attack.</li>
          <li>On the other hand, the ITP may identify an enterprise network as the
source of an attack and send a mitigation request to the enterprise DMS
to mitigate this at the source.</t>
</list></t> source.</li>
        </ul>
        <t>The two scenarios, though different, have similar interactions between
the DOTS client and server. For the sake of simplicity, only the first
scenario will be detailed in this section. Nevertheless, the second scenario is also in scope for DOTS.</t>
        <t>In the first scenario, as depicted in Figure 1, <xref target="fig-1"/>, an enterprise network
with self-hosted Internet-facing properties such as Web web servers,
authoritative DNS servers, and VoIP Voice over IP (VoIP) servers has a DMS deployed to
protect those servers and applications from DDoS attacks. In addition to
on-premise DDoS defense capability, capabilities, the enterprise has contracted with
its ITP for DDoS Mitigation Services when attacks
threaten to overwhelm the bandwidth of their WAN link(s).</t>

<figure><artwork><![CDATA[
<figure anchor="fig-1">
<name>Upstream Internet Transit Provider DDoS Mitigation</name>
        <artwork name="" type="" align="left" alt=""><![CDATA[
    +------------------+        +------------------+
    | Enterprise       |        | Upstream         |
    | Network          |        | Internet Transit |
    |                  |        | Provider         |
    |      +--------+  |        |             DDoS Attack
    |      | DDoS   |  | <=================================
    |      | Target |  | <=================================
    |      +--------+  |        |  +------------+  |
    |                  | +-------->| DDoS       |  |
    |                  | |      |S | Mitigation |  |
    |                  | |      |  | System     |  |
    |                  | |      |  +------------+  |
    |                  | |      |                  |
    |                  | |      |                  |
    |                  | |      |                  |
    |  +------------+  | |      |                  |
    |  | DDoS       |<---+      |                  |
    |  | Mitigation |C |        |                  |
    |  | System     |  |        |                  |
    |  +------------+  |        |                  |
    +------------------+        +------------------+

       * C is for DOTS client functionality
       * S is for DOTS server functionality

    Figure 1: Upstream Internet Transit Provider DDoS Mitigation
]]></artwork></figure>
]]></artwork>
</figure>
        <t>The enterprise DMS is configured such that if the incoming Internet
traffic volume exceeds 50% of the provisioned upstream Internet WAN
link capacity, the DMS will request DDoS mitigation Mitigation assistance from the
upstream transit provider. More sophisticated detection means may be considered
as well.</t>
        <t>The requests to trigger, manage, and finalize a DDoS Mitigation between
the enterprise DMS and the ITP is performed are made using DOTS. The enterprise
DMS implements a DOTS client while the ITP implements a DOTS server server,
which is integrated with their DMS in this example.</t>
        <t>When the enterprise DMS locally detects an inbound DDoS attack targeting
its resources (e.g., servers, hosts, or applications), it immediately
begins a DDoS Mitigation.</t>
        <t>During the course of the attack, the inbound traffic volume to the enterprise network exceeds the
50% threshold threshold, and the enterprise DMS escalates the DDoS mitigation. Mitigation. The
enterprise DMS DOTS client signals to the DOTS server on the upstream ITP
to initiate DDoS Mitigation. The DOTS server replies to the DOTS client
that it can serve this request, and mitigation is initiated on the ITP
network by the ITP DMS.</t>
        <t>Over the course of the attack, the DOTS server of the ITP periodically
informs the DOTS client on the mitigation status,
statistics related to DDoS attack traffic mitigation, and related
information. Once the DDoS attack has ended, ended or decreased to a certain
level that the enterprise DMS might handle by itself, the DOTS server
signals the enterprise DMS DOTS client that the attack has subsided.</t>
        <t>The DOTS client on the enterprise DMS then requests that the ITP to terminate
the DDoS Mitigation. The DOTS server on the ITP receives this request
and
and, once the mitigation has ended, confirms the end of upstream DDoS
Mitigation to the enterprise DMS DOTS client.</t>
        <t>The following is an overview of the DOTS communication model for this
use-case:</t>

<t><list style="numbers">
  <t>A
use case:</t>
        <ol spacing="normal" type="1">
          <li>A DDoS attack is initiated against resources of a
network organization (here, the enterprise) enterprise), which has deployed a
DOTS-capable DMS - -- typically a DOTS client.</t>
  <t>The client.</li>
          <li>The enterprise DMS detects, classifies, and begins the DDoS
 Mitigation.</t>
  <t>The
 Mitigation.</li>
          <li>The enterprise  DMS determines that its capacity and/or capability
to mitigate the DDoS attack is insufficient, insufficient and sends via its DOTS
client a DOTS DDoS Mitigation request via its DOTS
client to one or more DOTS servers
residing on the upstream ITP.</t>
  <t>The ITP.</li>
          <li>The DOTS server server, which receives the DOTS Mitigation request request,
determines that it has been configured to honor requests from the
requesting DOTS client, client and honors the request does so by orchestrating
its own DMS.</t>
  <t>While DMS.</li>
          <li>While the DDoS Mitigation is active, the DOTS server
regularly transmits DOTS DDoS Mitigation status updates to the DOTS
client.</t>
  <t>Informed
client.</li>
          <li>Informed by the DOTS server status update that the attack has
ended or subsided, the DOTS client transmits a DOTS DDoS Mitigation
termination request to the DOTS server.</t>
  <t>The server.</li>
          <li>The DOTS server terminates DDoS Mitigation, Mitigation and sends the
notification to the DOTS client.</t>
</list></t> client.</li>
        </ol>
        <t>Note that communications between the enterprise DOTS client and the
upstream ITP DOTS server may take place in-band in band within the main Internet
WAN link between the enterprise and the ITP; out-of-band out of band via a separate,
dedicated wireline network link utilized solely for DOTS signaling; or
out-of-band
out of band via some other form of network connectivity such as a
third-party wireless 4G network connectivity.</t>
        <t>Note also that a DOTS client that sends a DOTS Mitigation request
may be also be triggered by a network admin that manually confirms the
request to the upstream ITP, in which case the request may be sent from
an application such as a web browser or a dedicated mobile application.</t>
        <t>Note also that when the enterprise is multihomed and connected to
multiple upstream ITPs, each ITP is only able to provide a DDoS
Mitigation Service for the traffic it transits. As a result, the
enterprise network may be required to coordinate the various DDoS Mitigation
Services associated to with each link. More multi-homing multihoming considerations are
discussed in <xref target="I-D.ietf-dots-multihoming"/>.</t> target="I-D.ietf-dots-multihoming" format="default"/>.</t>
      </section>
      <section anchor="use-case-2" title="DDoS numbered="true" toc="default">
        <name>DDoS Mitigation by a Third Party Third-Party DDoS Mitigation Service Provider"> Provider</name>
        <t>This use case differs from the previous use case described in Section
3.1 <xref
	target="use-case-1"/> in that the DDoS Mitigation Service is not provided by an upstream
ITP. In other words, as represented in Figure 2, <xref target="fig-2"/>, the traffic is not
forwarded through the DDoS Mitigation Service Provider by default. In
order to steer the traffic to the DDoS Mitigation Service Provider, some
network configuration changes are required. As such, this use case is
likely to apply to large enterprises or large data centers, but centers but, as for
the other use cases cases, is not exclusively limited to them.</t>
        <t>Another typical scenario for this use case is for there to be a relationship
between DDoS Mitigation Service Providers, forming an overlay of DMS. When
a DDoS Mitigation Service Provider mitigating a DDoS attack reaches its
resources
resource capacity, it may chose choose to delegate the DDoS Mitigation to
another DDoS Mitigation Service Provider.</t>

<figure><artwork><![CDATA[
<figure anchor="fig-2">
<name>DDoS Mitigation between an Enterprise Network and a Third-Party DDoS Mitigation Service Provider</name>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   +------------------+        +------------------+
   | Enterprise       |        | Upstream         |
   | Network          |        | Internet Transit |
   |                  |        | Provider         |
   |      +--------+  |        |             DDoS Attack
   |      | DDoS   |  | <=================================
   |      | Target |  | <=================================
   |      +--------+  |        |                  |
   |                  |        |                  |
   |                  |        +------------------+
   |                  |
   |                  |        +------------------+
   |                  |        | DDoS Mitigation  |
   |                  |        | Service Provider |
   |                  |        |                  |
   |  +------------+  |        |  +------------+  |
   |  | DDoS       |<------------>| DDoS       |  |
   |  | Mitigation |C |        | S| Mitigation |  |
   |  | System     |  |        |  | System     |  |
   |  +------------+  |        |  +------------+  |
   +------------------+        +------------------+

       * C is for DOTS client functionality
       * S is for DOTS server functionality

   Figure 2: DDoS Mitigation between an Enterprise Network and Third
             Party DDoS Mitigation Service Provider
]]></artwork></figure>
]]></artwork>
</figure>
        <t>In this scenario, an enterprise network has entered into a pre-arranged prearranged
DDoS mitigation Mitigation assistance agreement with one or more third-party DDoS
Mitigation Service Providers in order to ensure that sufficient DDoS
mitigation
Mitigation capacity and/or capabilities may be activated in the event
that a given DDoS attack threatens to overwhelm the ability of the
enterprise’s
enterprise or any other given DMS to mitigate the attack on its own.</t>
        <t>The pre-arrangement prearrangement typically includes agreement on the mechanisms
used to redirect the traffic to the DDoS Mitigation Service Provider, as
well as the mechanism to re-inject the traffic back to the Enterprise
Network. Redirection to the DDoS Mitigation Service Provider typically
involves BGP prefix announcement or DNS redirection, while re-injection
of the scrubbed traffic to the enterprise network may be performed via
tunneling mechanisms (e.g., GRE). The exact mechanisms
used for traffic steering are out of scope of DOTS, DOTS but will need to be pre-arranged, prearranged, while in some contexts such changes could be detected and considered as an attack.</t>
        <t>In some cases cases, the communication between the enterprise DOTS client and
the DOTS server of the DDoS Mitigation Service Provider may go through
the ITP carrying the DDoS attack, which would affect the communication.
On the other hand, the communication between the DOTS client and DOTS
server may take a path that is not undergoing a DDoS attack.</t>

<figure><artwork><![CDATA[
<figure anchor="fig-3">
<name>Redirection to a DDoS Mitigation Service Provider</name>
        <artwork name="" type="" align="left" alt=""><![CDATA[
  +------------------+        +------------------+
  | Enterprise       |        | Upstream         |
  | Network          |        | Internet Transit |
  |                  |        | Provider         |
  |      +--------+  |        |             DDoS Attack
  |      | DDoS   |  |<----------------+         | ++====
  |      | Target |  |    Mitigated    |         | || ++=
  |      +--------+  |        |        |         | || ||
  |                  |        |        |         | || ||
  |                  |        +--------|---------+ || ||
  |                  |                 |           || ||
  |                  |        +--------|---------+ || ||
  |                  |        | DDoS Mitigation  | || ||
  |                  |        | Service Provider | || ||
  |                  |        |        |         | || ||
  |  +------------+  |        |  +------------+  | || ||
  |  | DDoS       |<------------>| DDoS       |  | || ||
  |  | mitigation |C |        |S | mitigation |<===++ ||
  |  | system     |  |        |  | system     |<======++
  |  +------------+  |        |  +------------+  |
  +------------------+        +------------------+

       * C is for DOTS client functionality
       * S is for DOTS server functionality

  Figure 3: Redirection to a DDoS Mitigation Service Provider
]]></artwork></figure>
]]></artwork>
</figure>
        <t>When the enterprise network is under attack or at least is reaching its
capacity or ability to mitigate a given DDoS attack, the DOTS
client sends a DOTS request to the DDoS Mitigation Service Provider to
initiate network traffic diversion  -- as represented in Figure 3 – <xref target="fig-3"/> -- and
DDoS mitigation Mitigation activities. Ongoing attack and mitigation status
messages may be passed between the enterprise network and the DDoS
Mitigation Service Provider using DOTS. If the DDoS attack has stopped or the
severity of the attack has subsided, the DOTS client can request that the
DDoS Mitigation Service Provider to terminate the DDoS Mitigation.</t>
      </section>
      <section anchor="use-case-3" title="DDoS Orchestration"> numbered="true" toc="default">
        <name>DDoS Orchestration</name>
        <t>In this use case, one or more DDoS telemetry systems or monitoring
devices monitor a network  -- typically an ISP network, an enterprise
network, or a data center. Upon detection of a DDoS attack, these DDoS
telemetry systems alert an orchestrator in charge of coordinating the
various DMS’s DMSs within the domain. The DDoS telemetry systems may be
configured to provide required information, such as a preliminary
analysis of the observation, to the orchestrator.</t>
        <t>The orchestrator analyses analyzes the various sets of information it receives from DDoS
telemetry systems, systems and initiates one or more DDoS mitigation Mitigation
strategies. For example, the orchestrator could select the DDoS
mitigation system DMS in the enterprise network or one provided by the ITP.</t>

<t>DDoS Mitigation System
        <t>DMS selection and DDoS Mitigation techniques may
depend on the type of the DDoS attack. In some case, cases, a manual confirmation
or selection may also be required to choose a proposed strategy to
initiate a DDoS Mitigation. The DDoS Mitigation may consist of multiple
steps such as configuring the network, network or of updating already instantiated already-instantiated
DDoS mitigation Mitigation functions. Eventually, the coordination of the
mitigation may involve external DDoS mitigation Mitigation resources such as a
transit provider or a Third Party third-party DDoS Mitigation Service Provider.</t>
        <t>The communication used to trigger a DDoS Mitigation between the DDoS
telemetry and monitoring systems and the orchestrator is performed using
DOTS. The DDoS telemetry system implements a DOTS client while the
orchestrator implements a DOTS server.</t>
        <t>The communication between a network administrator and the orchestrator
is also performed using DOTS. The network administrator uses, for example, a web
interface which that interacts with a DOTS client, while the orchestrator
implements a DOTS server.</t>
        <t>The communication between the orchestrator and the DDoS Mitigation
Systems DMSs is performed using DOTS. The orchestrator implements a DOTS
client while the DDoS Mitigation Systems DMSs implement a DOTS server.</t>
        <t>The configuration aspects of each DDoS Mitigation System, DMS, as well as the
instantiations of DDoS mitigation Mitigation functions or network configuration is configuration, are
not part of DOTS. Similarly, the discovery of available DDoS mitigation Mitigation
functions is not part of DOTS; and DOTS and, as such such, is out of scope.</t>

<figure><artwork><![CDATA[
<figure anchor="fig-4">
<name>DDoS Orchestration</name>
        <artwork name="" type="" align="left" alt=""><![CDATA[
       +----------+
       | network  |C            (Enterprise Network)
       | adminis admini-  |<-+
       | trator strator  |  |
       +----------+  |
                     |
       +----------+  | S+--------------+     +-----------+
       |telemetry/|  +->|              |C   S| DDoS      |+
       |monitoring|<--->| Orchestrator |<--->| mitigation||
       |systems   |C   S|              |<-+  | systems   ||
       +----------+     +--------------+C |  +-----------+|
                                          |    +----------+
       -----------------------------------|-----------------
                                          |
                                          |
          (Internet Transit Provider)     |
                                          |  +-----------+
                                          | S| DDoS      |+
                                          +->| mitigation||
                                             | systems   ||
                                             +-----------+|
       * C is for DOTS client functionality    +----------+
       * S is for DOTS server functionality

         Figure 4: DDoS Orchestration
]]></artwork></figure>
]]></artwork>
</figure>
        <t>The DDoS telemetry systems monitor various aspects of the network traffic and perform
some measurement tasks.</t>
        <t>These systems are configured so that when an event or some measurement
indicators reach a predefined level level, their associated DOTS client sends a
DOTS mitigation request to the orchestrator DOTS server. The DOTS
mitigation request may be associated with some optional mitigation hints
to let the orchestrator know what has triggered the request. In particular, it
	is possible for something that looks like an attack locally to one
	telemetry system looks like an attack is not actually an attack when seen from the broader scope (e.g., of the orchestrator)</t> orchestrator).</t>
        <t>Upon receipt of the DOTS mitigation request from the DDoS telemetry
system, the orchestrator DOTS server responds with an acknowledgment, acknowledgment to
avoid retransmission of the request for mitigation. The orchestrator
may begin collecting additional fine-grained and specific information
from various DDoS telemetry systems in order to correlate the
measurements and provide an analysis of the event. Eventually, the
orchestrator may ask for additional information from the DDoS telemetry
system; however, the collection of this information is out of scope of DOTS.</t>
        <t>The orchestrator may be configured to start a DDoS Mitigation upon
approval from a network administrator. The analysis from the
orchestrator is reported to the network administrator via, for example, a web
interface. If the network administrator decides to start the mitigation,
the network administrator triggers the DDoS mitigation Mitigation request using, for example, a
web interface of a DOTS client communicating to the orchestrator DOTS
server. This request is expected to be associated with a context that
provides sufficient information to the orchestrator DOTS server to infer,  elaborate elaborate, and coordinate
the appropriate DDoS Mitigation.</t>
        <t>Upon receiving a request to mitigate a DDoS attack aimed at a
target, the orchestrator may evaluate the volume of the attack as
well as the value that the target represents. The orchestrator may
select the DDoS Mitigation Service Provider based on the attack
severity. It may also coordinate the DDoS Mitigation performed by the
DDoS Mitigation Service Provider with some other tasks such as, for
example, moving the target to another network so new sessions will not
be impacted. The orchestrator requests a DDoS Mitigation by the selected
DDoS mitigation systems
DMSs via its DOTS client, as described in Section
3.1.</t> <xref target="use-case-1"/>.</t>
        <t>The orchestrator DOTS client is notified that the DDoS Mitigation is
effective by the selected DDoS mitigation systems. DMSs. The orchestrator DOTS
server returns this information back to the network administrator.</t>
        <t>Similarly, when the DDoS attack has stopped, the orchestrator DOTS
client is notified and the orchestrator’s orchestrator's DOTS server indicates the end of the
	DDoS Mitigation to the DDoS telemetry systems as well as to the network administrator
the end of the DDoS Mitigation.</t> administrator.</t>
        <t>In addition to the above DDoS Orchestration, orchestration shown in <xref target="fig-4"/>, the selected DDoS
mitigation system DMS can return back a mitigation request to the
orchestrator as an offloading. For example, when the DDoS attack becomes severe and
the DDoS mitigation system’s DMS's utilization rate reaches its maximum
capacity, the DDoS mitigation system DMS can send mitigation requests with
additional hints hints, such as its blocked traffic information information, to the
orchestrator.  Then the orchestrator can take further actions such as
requesting forwarding nodes such as routers (e.g., routers) to filter the traffic. In
this case, the DDoS mitigation system DMS implements a DOTS client while the
orchestrator implements a DOTS server. Similar to other DOTS use cases, the offloading scenario assumes that some validation checks are followed by the DMS, the orchestrator, or both (e.g., avoid exhausting the resources of the forwarding nodes or inadvertent disruption of legitimate services). These validation checks are part of the mitigation, mitigation and are therefore out of the scope of the document.</t>
      </section>
    </section>
    <section anchor="security-considerations" title="Security Considerations"> numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>The document does not describe any protocol, though there are still a few
high-level security considerations to discuss.</t>
      <t>DOTS is at risk from three primary attacks: DOTS agent impersonation, traffic
injection, and signaling blocking.</t>
      <t>Impersonation and traffic injection mitigation can be mitigated through
current secure communications best practices practices, including mutual authentication. Preconfigured mitigation
steps to take on the loss of keepalive traffic can partially mitigate
signal blocking, but blocking. But in general general, it is impossible to comprehensively
defend against an attacker that can selectively block any or all traffic.
Alternate communication paths that are (hopefully) not subject to blocking
by the attacker in question is another potential mitigation.</t>
      <t>Additional details of DOTS security requirements can be found in
<xref target="RFC8612"/>.</t> target="RFC8612" format="default"/>.</t>
      <t>Service disruption may be experienced if inadequate mitigation actions are applied. These considerations are out of the scope of DOTS.</t>
    </section>
    <section anchor="iana-considerations" title="IANA Considerations">

<t>No numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>This document has no IANA considerations exist for this document.</t> actions.</t>
    </section>
  </middle>
  <back>

<displayreference target="I-D.ietf-dots-multihoming" to="DOTS-MULTIHOMING"/>

    <references>
      <name>Informative References</name>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8612.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8782.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8783.xml"/>

<!-- [I-D.ietf-dots-multihoming] IESG state I-D Exists -->

      <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-dots-multihoming.xml"/>
    </references>
    <section anchor="acknowledgments" title="Acknowledgments"> numbered="false" toc="default">
      <name>Acknowledgments</name>
      <t>The authors would like to thank thank, among others Tirumaleswar Reddy; Andrew
Mortensen; Mohamed Boucadair; Artyom Gavrichenkov; Jon Shallow, Yuuhei
Hayashi, Elwyn Davies, others, <contact fullname="Tirumaleswar Reddy.K"/>, <contact fullname="Andrew
Mortensen"/>, <contact fullname="Mohamed Boucadair"/>, <contact fullname="Artyom Gavrichenkov"/>, <contact fullname="Jon Shallow"/>, <contact fullname="Yuuhei
Hayashi"/>, <contact fullname="Elwyn Davies"/>, the DOTS WG chairs, Roman Danyliw and Tobias Gondrom Chairs (at the
      time of writing) <contact fullname="Roman Danyliw"/> and <contact fullname="Tobias Gondrom"/>, as well as
the Security AD Benjamin Kaduk <contact fullname="Benjamin Kaduk"/> for their valuable feedback.</t>
      <t>We also would like to thank Stephan Fouant that <contact fullname="Stephan Fouant"/>, who
      was part one of the initial
co-authors coauthors of the documents.</t>
    </section>

  </middle>

  <back>

    <references title='Informative References'>

&RFC8612;
&RFC8782;
&RFC8783;
&I-D.ietf-dots-multihoming;

    </references>
  </back>

<!-- ##markdown-source:
H4sIALWHAl8AA809a3MbN5Lf8StQtXW11orkxnYeLiW3G8VOvN7Eci7SXu4+
ghyQRDQz4A5mSDOR/8v9lvtl1w8Ag3nRsry3d6xULHEGQHej392A5vO5qE2d
6wv5N6flSjnt5NpW8sULey3f7HQpb7aVVrW8NptS5abcCLVcVnp/IV+8ubmm
Uc9xlMjsqlQFTJRVal3Pja7X88zWbt44PaeJ508+E0IomO5CXutVU5n6KA4b
nkncHi7kq7LWVanr+QucQ6xUfSFNubZCrGwGa1/IBmZ9JnbmQkhZrVc6c/UR
oT8CBFLWdpX8aMpMl3X4wtmqrvTaxd+PRefXujKr+PLKFgWMjU9NCajHZQDV
Qu12BBB+I1RTb22FMOFn7v/FYTDDTwv5wi6X8HP8ngn1k81VmQ0e2gqmvayW
sAtXuj7Y6rZ9BlBqXV/E39ulVkDM0e9tpse/b8q6OsJOABpqZysdH+lCmfxC
VhkD9rVCWBawLeP4vVjI12ajmrzu4fdClUbng4eE37dAbeds2cdMPnvyxWfy
plKlA74qVaaATE2tu3jKa2XKWv6gmgp2aSb/7XkXX/nptfzkm8+HyPKUfUwz
AnRRMKBfaw/bArhgcktfW3drD6b+dbCpS13VI48J7b/c3MjntnSwDIrSPbdV
vlG38kdV3c7k61d9TJ89efrFENG/XV8O9nNTfJ2rpVts63q+YiCmUbxayBut
No3u4XdlbvsPCLNXlS0Ba1getga2vlbyuUZxdnKwx5N4TvHv+IOA6vd9TGFZ
BPBrAzAVHiTAdNHcjuP6w0L+h1E9RH8wqtx0vucdbNRBmwFKV3YhH3/yeCav
7bo+gI6Tl3tdNnom/7PZNkANI18Y1jE9nK9U+UvKCy2vbk05YNXvQDJuF28N
qGIA7+stQTO9i98vYMPc1vza3Pbx+17hvyOPCc0rYtSiaEoDWtjYcqCD5EsA
BZlSPv78O/l0/un8sbzemiXIpAI+BdhrO79tetje2Nuj7W3u40+ezZ89fvxs
SIK/qp0q+yS4JcC/Lut6//nilx2YlPl8LoGx60oBdcXNVp8wX/IRWpszqddg
5mppHBCq1mApMjAZclfZvcm0gH/BgNjc4ZdrtTK5qVWt6d3K7nSllvjVUapV
ZZ2TmXE7VeEbuLIoTA26BMkGZidviH4gT1tYDWxHg6YFltIOTYx0qtjlWjbR
/h62ZrWVmXaryiy1qLd+XcAOJ5L67U6vagB4CeZBA474Bllj4IOdLWlWBfPo
PMd/ybwW2jm1QQLot6st8I4miACGZGXk20IrgA7QNmg9zfqI04sIAEzQW2om
t/aALx3hyxw0jEVCzCTatsMWaI+z4hz1cQfMlJNFrwomD6yz1BGkbMGbWZgs
y7UQ4A9UNmsIb/nb70zy6zvxr8lHiMuayFAb4Gm7lgdwLgDWGe4MSN2yQXoB
QiA4c7ueO13tzUoDM8B2nUlV12p1O7ptBH2uqo3Oj3IJVMpks8MXTG51NkOO
2VXg7KjqKFYdgZFutdUF7qeptxK0QQYWPber2zkoSNgWBXNkeg6MCLvpuWMF
7A58AZoZqEQIgaJemw3IFM45YwZ18CMhR5zID5DauD97ht+ukW9gY1tElho3
T8mt2WwBl0KVDWwGjgOVhVwEpGO7UOCLsNIKeGYhLrPM4Awqz48zgMdWGQo3
vlOgHUPmJXkbI59wBl9SpbaNg1UBx3Wlms22ZrIsLfyv1qttSayB0PiF55XO
gY8ysW0qYIYgPxsUZ5yoXMFPyLSRCDAeuTLXb1EySYpmRMamKmfgTJbAAJtK
ZcSNqABgydURuaWFHAQ+sOxGlzAxIB0olumdJpdS2vK//wsoiRSD7wEO5tAl
yQp4lq7WxeLjNJEDGQfhSzURAnZKFwV1kJk9mN0TqojIrGGjEUsESlc024bp
SDTTVYFMxJIBqMMeMaMlE1b67412qAGI+/hVkGRUFOBE/cpv7eABePWwgSCl
jgnSFa9lZVWGdNaIEdIdmEWqwgKRWG5gCdQgIGkFCJrcWNhr2DfSRMYlmpv2
ap7rvc5TpcmTuVpkBsStIi3WgWMmXQNKF8TSoxreYKzcDDQgIE5s/0ckThCB
Pucr50DjqHIFGhDk3ZMI30QE4EkNqAHoqj+S+KVrIAijEQNBnOAfZ4Dmrqkp
aEPmwwVNpSl6kb/99uefvnv+7PPHT969oz2C6YD9vHZg8rUM5t/+4hm8HX9+
+u4d2YmelShtDVp7qxrAba9p7nVTI0N13hPRVsEWAVCgRoNFwn1Tmd3hQ+LH
vc33IOZgz2+Ivja3myM9ugQjWx4LgPB3dftoDo/myj/qmoOuaeiStVC3ABtC
CbtA4opuUN1bMtNr2nBiUSdSQi4gTAXIWSlKU+Ncjo0PTOJ4KOitpc7t4UKI
P/BOv2555JoUBMj/6+szCPW8wvDbqiu0jm7IHlGbDGcqFEo/22S0UMRfqxw2
ByQbfgGRzNApFYDaH4FRXHBSwdbYpgJ1O5NgItHxymE3cgfWv6T9AGIAG4Mh
Q++qJh5TtcD1aqAj4Loia+Si+ECwRlMixzuLxriCCfNA7BYhARyhgI22uppA
azFCuwviRS/UnlboCbHmnZhHjm4CuwAXXiZACZJJ9o5BlC6EUqyAkoBLhb95
DHRHPSzktwrwD6Nds0TnbUcLNa4hKxIo6hcWP5CSugQFTNIqH13/cHnGTLBV
zntGhQbX4BVZB5ZuB86HM17jBzlGSK67kBOsEAOAKkK1pU/QB94E91CTAwVi
AWC4MdLHFX70K3RIh9OrDGTIEKegUkD3sSYLBq97DTg1KSwo/xDzP5wAANEK
S8lHr25+PBssyCswzTKdk90jigAIaN5p92TcvZLTKURQdAeWxN5x0T5+4tGr
6x/PSI3Da80OAx9VhEX9egGvZEX8FUYi24mYHwPdFRNho8oK3g0r9Gm0RJ0k
4+NpKrVrzB+/Q0965OP1YVDTMc5w5MbDOhS1g6V1LLvIcxwKoH/lSSk8KWXU
BCrbA6epjWblA9HNHPwwtnzkySEi5PIZMEywm+hlgCvZEyqVihXMDAaDpoBB
Im6fEN8BZCvwylkI0MkHyBz5J7QZNA6kN4BJzlWGnjlaG9dFM0zMOjCaBLfS
JawAHLTb5UaTRKoSNt4eSr8TcSB4o3mDPC5SaqEhWeW2yYC0TAk/IPhCxClA
imjqwf0u0fvYE1vbwOQDQA1pBJUDFBlQgEMFcLS2Qc+acglBNFtWUMn8S+BR
rzaSjQ50opiNwkYyD34y/5SiAnDuCnTTnABPx66M8sZ9YsKfL686SHkvnj13
dv7BLeoEOQQE4xC0F0c0gTlGtIdkrhaOvVRcErehAhIfrATIM3K6pjRa8Jwh
+pogCuqJmx/JmpMzFGURdg9lINW0I2AmBp/CR2CTlQaCUEDmfUQIjGwxQUdP
Nh9B5xhqVmwLMheoT9J82Pp8wAgeKPUlChxLF+n4N/w2m2GIwbNZZEpCK+QA
unohUsaxV0s+BO1QGUQXieY0Um4kYhhhGCCNSBVBjfgqL440vw+ocEODaFJY
YCGalOzXUzJ4q8D2QNhpQD90Eyd+m1vfdwVyDZaXYa1Amy/kd96PdqjUACOY
CKQfk1dgCMqc/Yy1qSCWiAriYEBilqhKa2VycskZfs+OC3kFtr6CkRDHciiD
jywuG+YgcSa/C76DqI6rMAAk8varsl02DplxtAIcUfOS36EIafl4Nr5bgrSv
0/l6juoIxsRyC0aVHPKDS1Wjrgvu3M966UkDIRCXOTD6RPP+4uo6PiIS/rt9
9WP4hlwYhbuKIOb2SFqColmgCe4a5ib8uyRgqGRD5oQkoetfpT43TGTLOZiY
wvgwF51uCGhRCHY+HJ71OQwhAppTlhCgQWqIYItiyWuoHBzLlAcEeIcCZspc
WYAeHuYstUtA42CyqINNRdoPQv3bR+4M45qQyDwfWuXzU8/iwDv5bYtP+Cr+
EB2E+FUy0JeSZPuw/WHgUKQDB59kYHQ8xlbsonPeGZh+iO6XnIHrvXHHD+n3
O/nVVIjX+lCD8TfkCTx0/BT0nU06H0G7S6/4+p8iQv7d9wwMaFzDTwln3n8g
/ueNz4et+ME43k0/+78dOMDjvgO7e/VVK6TvH5ju1fMpvh8b2Nur+w4c4nif
gR+shkQyzR/kc0rmeisVTOm6KVeci8XQr/P+ded91v299+OAYMou7hP19BQ3
uwld1wKXDk4m6H6ybhQ1muAuryxlvcMqIvjKELM3BVUotAZf67NP/iV4xTEV
TyWBPpSg+gWqfrJIq2iPEBZyF4InNJ0/jP6giLPXHvUQ42MZukL/aLfFUIvD
m5irpVKOa5ND7BLrTPjakHeoQhaXnLLKbDa6mmF1AGI5tutrg9vz65hjm3pU
PYoHL55CPZfkahoXikicWEziG9opTHZy+lJ1WOuwBd+qnXLwGnOU4OqZz6Zj
Rtvbem+SaQnvnum3lFkFOvw84jbjm7kld9vTlOLGEFmNxqnkUMSkmnykF5vF
rPWS0O9ynFBI3J0zjucKIA7GD+DdL/XGlG5Ib4D0RRNTDitYpU1jMiizTvTX
Y+LpMC2wN3Ibsjh6OW5r8yxuY48w2gFhYh6mn6vEfRW9EelWUhInj5FLqhB8
LJsGWIIyWYaDqz5FiIXSCSodo/Weny9Y4jn3Q28zG3gBYGZPRJF4iJfNAlwI
TiCaTzoiNwKCsDdvcP3TO9NBdd0mADQ49JmP7bg+6vrgBxDSig6VE2ZUViAF
4KSvmiH6HQ71nNAOZnRDkS2pyS4gKFwl+UI/A7rPVJ0i/s00l98yn2KDsEGZ
UnDhheg8wjSFwbofRpkgyEA9EBaIRgaEEZE9hlOk9IjLJBBi5hXztqH6NiRf
b8IaJb9VgX4/kHl8kUe3KdZTbNfyh+TYnkSj5S5BmZhA2GQPE7qShQo7r6kw
2woCVfMS1TsaQqcIexKsbZ7bA+XQSH9h0LI3+hDYL1Tz28q1LGwGu8gVJeNE
yCleCPF4IS87XNGREbVRmAdJFCCmBKK82GqjylAVfLQFU9SP0c5878OWI1sO
G5VAEOcU2eWM5bzNhHSNBOD8pG9VfBBKCnyGWUOwsGujfdDqVW3YY9HVtk8H
k8XZkDtCLQ61frDz0tdY2ki0l9fQQwK6BoXTUPoiJE6c3BtFM1P/RkhVMLZ9
O5zkVcAfQQEt0DFIGNRxZhL5YETFAqqfDnmaNyNhZ/94uLAYUoQ2cYlZtcTx
Avi2tmzroq51cpJKabKhTA8aEyogjCmoj7YuFSyvPZReFX+2kD9Hf6FPLRQE
zEfqoeqp9KbJVYV5HvS1ikD/wRy+ktvsMraCrbURkRU/x7RFr0KVkLczxZg2
E9wNgAU7r9YSgIMSjGCOs4aIxeph+i0BBqD9YsgAUQe6/rQpn+LulbY266A/
hqYXsx9XNmDZ65NJ25hSse1l6DqeMBndBNJYh9jlaoUO0HxJuWxw/HwjTYF9
idG9D5mZqcUT7/VLTKBj0xDNiEKJZUJu95oB44eywsGAMQUJiE4Vzd/UBn3n
DFsNsFmkDYBCHwjMX4n+Elw6pawsMhAq0jBtp0YQ8nQKrJSpsjmAhb0vCIp2
Tn76cnTYwu8GZRy54WVoWXlz1aTI+7iC5+C4gflctflhLAjybNxulB87Rk70
GDLdXmrdYQ1Eme1U+P3SjiJOUCAC886tR91SBeKcJbaXHByaaKxmtftV2CUq
iGTckCxj6XTQHtT3tLWFb13wpOUUZ+yJSpEBY6OxQOyDIUokkzVLOlfUwMSH
8kTo7QhOnKlDJOjAHjuu0cGy3CQz4t57evneEFLDsY+LKbvHjHIzEHMRk6Dd
ag8hg/ztI1BCer7lGDpEmip2+AhfoOM89W+//fnV/MWiPSEQyAmD373DGGek
/okFkCrDLmjg7/dVptNC6JN7F0KphNBaJKxh7okog1opoXHNUTb4CI9l4PIT
FW7cd+yaiZ0FXNUNXCLQCmOWm4Ueti1zlOGHeIY7RTtJ/iezLkfQ3AIY5aAq
alvYVlQXOQVQpNYSA9w19r4jBCJWZV2tdZfzgmZ/z4wz0l8iUT1Jec93n0ru
P2GOJDZGqZ2x0xwpDu5nbm5RcdZciKUfqB8zkUmHss1fZth5vuLOcy7oKso6
ibbM1XYo+S2B6DdvHPgDMHtuwJjGkib1jlz6LpXQvxprNsFDTsENwlpp38Gh
Yvnbbc1OBHvzPhIC8Kj4qULITnuuqNaN/o3EfIWYLIe2OxviDKozpm4n9ixu
kQI1OYbeXW9zVYaV7IrqNIAIBAR6M9VGAlpvspOnBxHS86Hpx5jTfFgR5KE1
kIeWQD6qAvKRBZCPrH/cH/RRlCdI9bBxp1lhetzY539zvbsB79+XLgOp/UfQ
81RJYLK0M1r1iJ9h9Up2Bk5WPa4nq1fvKXpMFq8eiuD/35JHsOsXUzl2NAOJ
4rtKmlPINUpX5s/9fCXfXYDdCm1jwWi3B2eqanLzTUl5P2zzUlVFZzfEiVKG
il2OlIpPcxRp3DLlAEej2Gka8x3sHKzEDMqg7X0yMYNZ4hDE8MmJ0LoBvsU+
JoyV3IBrUHbTqb4LwA3bAFTszex547933El49G6InxVzkL38kF+EuospqeFT
eQm1iZZtEoz7z9CpioQO2WKN/pZxBeXxyK+B/QOfa1U/zLNTToSDRZ35eea5
KX/pT70kivH8LQeLq9Da9JOHJ00dvM+xaTuhfFutk9+8xEY6vTZvgcilBSnz
hKioVaVqV5n5WlIEF9340A2+qpolevg9wkxHVW1lCwJ3UTcQC9LxjpbyoQ70
8qdvz3xC8S1w3GBvyHX0y5LvTX4b9uGBG4u9SNQY5M89sHNLtcRS88YuOyyS
BTSxpQjTCdj8ot/WvrknuOHc883dSxzE+pDWVwt9u6TvGZPcjcTzqdD43k0f
3y+f03Zhdcsh7/dpFR4ACRGOCFn3FaB97HQZh7oLJxEO3NtOp62GQC/ERCfc
NGr9/BTl/vrpKMVdmZwT5WiDevA2duCTt67xAz3jBzrGD/SLH+gWf4xXPOYU
fzWgRgLO+Xni1Y76xPDxvAac3gHhTt7RBB8Cd2/03f1o9RGDIzh3Cf73HTz6
zT9l5TFf+QMGDx3mfyi1P8iz7A/+MP95MLiY8KGve88wljs/7w12Jxzp9JkP
BM/PH4jzQ9XUP8uZ9r7004u+a/H+jMl4K8hEBzX5c7XMtXKk3SmpEk4rRLcT
X/I+Yfekw8CtbKs7odzXycH3qzfv9ZGsiG0TAYPgXvAZURyGZ+ensoxP6Wk5
4tpzIcHgsdw3pTdmbeP3oEXBHz9vHe6domzwhKuQdt7HyuwpVNOeolfrvgvA
nQG13e24moZ+ucOO7NZPH+shGBbbsHEk7gJMco8taGtoY5sWkt1v2lImnXSP
2eun09nrELaF5OOsW/rFaWuNPVJ1dfTi7/gxMIVF31JkmpP7/qukcjPvlNhL
PM/UnnaZOD3D9ZU2/7oAn8OWST9ae4Qj4fdwUHkIq8rxJpX+AURDGeSKDxp1
TqPjjsQ6xuvr37u0/JdZLAD6Euc4bZg1RbdcHaozsXaSdMrMkkLTDot/uNHV
UShQR0dnXOAtu0Rt5Yd46U1x8uFdB02ew/vXASuna5o0vUHB1G2FPvbND6nJ
BdugD9yQV5KTmQSD3pB043kI3yc3GwDugwcHi63a4kfnzDmbHTMp4rYiUNKq
iPfoRwpBPhvE64WjQoNsNN0mgEKKOyr41H4Ih4GpdSfSCL53GtTM8NAKX4/g
q5VMFyzEx6WRW6hQ2C+sbS3mzBWdpqDTuJ6cx45CHvb2tayZIENJeIzFHEWA
obgIW6R37SmNwLIh/ElFknqIMl8D8AfGktNKQ90eTCoeasUsSMMXP3AwFMSN
pRklrugCG065QqAJcQNQsD99W21Iate9vlZWJR9S8fMi1I3WQsLDV6en+1db
1m3lhuxYVJWtUvImqauTBv2tou1vHdU292hzFd0lJvpdRxGPKcNuJd60ymWI
hAgnkKY7dccnw+PvVKxq9QTV3fnOmDW2Y/ieXH8Wy9+Iorp9Pm17bxeqh+A9
2KDUkeiUt/2unmxQPr0PYtCePK61XDt0ApPOGUi8/4OVPdXax+ecpdf81HRN
T3Jksj3yOCbdKGPjBVrjBBWqQfBCsmkhr/lAXdAEWNDHvCf5T2qv4NlyeA+M
aFcL1e9k0i/54JdXBMZ10lzpealuPHEuO5/0rbuIEUZPyefRMHN+1h3oeZpi
tvPuI7/z3QrEEKi7YQY+CaJGPycmk9e9EOq8/1YPzKhh/kgh2596axI9rtMI
9K47vtV1FLXC+Dcp34cv28296yB8FxRku1R3/a8YreS1E7SUgwjy/Hk/FD0/
QfDRz11/nXT8uJfd+dwNvvlQAD7y/UeTZ2DOAoIfTpJJjrrX8BMcdY/P+SmO
ui8IUxx1XxCmOOo+GYreDOcPzVj4jw+7P/VFwE5UKERyodRI8OJDuBAqJAYk
8Qhj/E8XbbHFE+T3FlphNY3rSsrxFQU3fIVYcH0q3TlElfbIYUi499WW/nzC
X72ALbyUIuFwyd+TI8OZATydk3SZpTT3aRByqk4cJ+8Y6tTCxsZWMTI4lADb
pfmgNHVg7nirOg374Mc47OnO+cqU7rK3pT3wtXd0iUvsi0zaFynYQENoVthr
HG5zgGDBGTSia0/Desv+PKaY/Dkk39898CZza2+dxE6p5Ai+N7ngcTUhjPdP
aMscekqx2Y3u4MKmZKox+YJViF8TBM/wnhKiHsScu7pzimCEuHH+LtsK5/2X
U9sm4w0H7C9i2gnJm+tsU5DPiI1He2vwGIvvg6ZLQAJQEQhb9U8ndZ1MZoEN
phZsnvvrv1S89w5PwOn5plLEr9T4TLezYeNdG4kLwrXTSDkU07R+TXc45D4z
JBKBceEePO4LLWU/oUCiNgjPugEDxafulpBPUElTB6c350u8EAazZCH2y/M2
j0OZp04awo1WKcdSG+2BxCTPAn5rVY9EaHRbhtohMXAjEOKJqIb3NZIqHizo
R2qV3tkqubVkPKrZG3U6qImJxvHxeDNWxgcDGLW6c+xnJqaHeqUxerQu8jQF
KX0IBbY7t2EX59vS/GUbLaFmmdCaotWa7fklaZKLR31nY09jqlBhJp0l2vvr
2t6M3tWfJ6WfTv2tkf2kDreK+tp0aF0mIhJzgGs/djowVVa921ambx1Shhq7
a0xMUKlwRE0hD2vgyCY2UPMRy242udcrge8nBz148jb17kbCTcxg9dJrp1t5
6UyeT3b5a01DqpvuvYppq14DeH/m/t1q7891J1aT22XRiwhJHuJUETm1sPt4
cRZTIbkNLkgFAFnqA7CD4yvmuNfB1gJ4D2JpusZjhGTxaNFIusdf0EkEHUl9
BS2dnrxqDyK5yf5vaosYAJJKHttiPHeWTXeKQ+DNt8Hi9So9WIdXrDKsIwRI
GxHAMDZV6Yb6Om3KmVCnQiRBfzwJMVFXmTDlYgT/sezT711H9sNlXeRnDS1U
65Im6Y8TuPjz6dlEj8mCiinJ9TK+kcvu9YgjPhvuy0jGm0tFSHwm9YlrkLoW
ittt7Hqdg0MGQtJLwY/uw1KDZkdNi5Ku2+6aUZYBUvOhJA8LaoCkHRw0xFtT
NIXoXVwwOpc/St0t+UUBpCt2Et+DPOeY9sW1lngfctJsNbQPHeKAnN1sx/J7
CAb126ybinRIuPIpLJYeL/SnJOg+NpsliegK/9JAxXd+m7zunn2goxE1X9Ls
9Emi/MNyuyHrRn4/4UVP4wEGL3SRV5I765xrinAYk5QyGB+ThRMYenXL8Ryf
Dk7OJ76+Hkoy1RHosjYfF7DTHe5/9Yq8c+oXvxjQmap3KsOrsJAamXFVswse
ZQ7+d20K5EZ/jaY7CzeUj8Mecok9z4qzinzneKXXtu2fI7kN3ikXBflSWNJ1
/i+S0N9nSI4v/fY755/MuwebJq+cZVMQL5zNrOZALFgP6gEN1+7GG8wIWoIb
SIoqTa71QSTXGQcw+uer8HQGH6/Cilm4WRf8CoPeP3vBlcYSG1+e7G+y8n/A
RW1IPRdg750tg4JjlhexO9If94xXV5PcknIC1ZmOZeUepfmXUCxL23Hp4s3g
e8WjSgKwqzjYXzVVL7OPh0Qd1odQrpHF4oWLsmhquse8AQKWdWjnA7dEJwFG
p7iJlTNULnTDGyuTHC/xB6a41Xqn8F7PiAOCS7E6hdABan9FQaQDN2OCU+Av
DfchvSliUE/xXgGeHkDJR40E3VnWnpqP4bnmW3a9bs3ZH8Db53ExbiDmO3WD
ZhKXORXb6n49BHsPkxvNH22B99cNIHJGDOmaJTfr2oiI8HogQgI4seL056a9
j7azKMKmkxkB9mvviveX4bl4TXdk384N1Z4b1nRdiSm7Fy2LcPwwVRU+esRY
pAKlukJnbE16BeZFEvTaVMIl43yLZxZUyvCQ4qiW4OIHcvnl1WVPNYzf4npl
Jb3bW4AuQ21PjEXNI4BonazGYFpWJ3z3nvNtrJTpIQOpylt/UzptjJM3pmoK
lWsHuhf7n7Ljl/KyzCpQJq8x7i3BXH8pX9utQuf+G9usVKZMBS9V9RGUxUu1
rwxo2fLW7r+Uf0VPf6vQSOCfMmm22oi/qKNyWzOT3+aHI/6tl70Jpoh2+ueX
2KFh8AjbT7ZQ+EZ5zM2BzyrYpQFT+9ICSBjLRweOPJaohC9fyG90+YvC88Pf
q6y5DefqTEVhFFWb1lpnS77J8md/aneMPNcg8fAD+FGNCoebD7Bwaj+4Lp+L
lZ0HSvdshEM2+B9tAT9wMGsAAA==

-->
</rfc>